Bug 1339129

Summary: ipa vault-archive overwrites an existing value without warning
Product: Red Hat Enterprise Linux 7 Reporter: Marc Muehlfeld <mmuehlfe>
Component: ipaAssignee: IPA Maintainers <ipa-maint>
Status: CLOSED ERRATA QA Contact: Kaleem <ksiddiqu>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: 7.2CC: apetrova, frenaud, ndehadra, pasik, pvoborni, rcritten, sumenon
Target Milestone: rc   
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: ipa-4.6.4-1.el7 Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2018-10-30 10:55:57 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Marc Muehlfeld 2016-05-24 08:33:17 UTC 
Description of problem:
The "ipa vault-archive" command overwrites an existing value without any warning.



Version-Release number of selected component (if applicable):
ipa-admintools-4.2.0-15.el7_2.15.x86_64


How reproducible:
Always.



Steps to Reproduce:
1. Add a value to a vault:
   # ipa vault-archive my-first-vault --data AbcD3fg8
   -----------------------------------------
   Archived data into vault "my-first-vault"
   -----------------------------------------

2. Verify that the value was stored in the vault:
   # ipa vault-retrieve my-first-vault
   ------------------------------------------
   Retrieved data from vault "my-first-vault"
   ------------------------------------------
     Data: AbcD3fg8

3. Re-run the "ipa vault-archive" with a different value for --data:
   # ipa vault-archive my-first-vault --data dmVyeSBzZWNyZXQ=
   -----------------------------------------
   Archived data into vault "my-first-vault"
   -----------------------------------------

4. Verify what's in the vault:
   # ipa vault-retrieve my-first-vault
   ------------------------------------------
   Retrieved data from vault "my-first-vault"
   ------------------------------------------
     Data: dmVyeSBzZWNyZXQ=



Actual results:
Existing data in the vault is overwritten without any notice.


Expected results:
If there is already data in the vault, the user should be notified or ask for confirmation before overwriting.
Comment 2 Petr Vobornik 2016-06-01 14:55:38 UTC 
Upstream ticket:
https://fedorahosted.org/freeipa/ticket/5922
Comment 3 Petr Vobornik 2016-06-01 14:59:40 UTC 
Current behavior is consistent with other IPA commands. None of ipa mod commands asks for confirmation and therefore it should be the same here.

But it may not be clear that vault can contain only one value. So this behavior can be documented better - both in vault help and Linux Identity and Management guide.
Comment 4 Aneta Šteflová Petrová 2016-06-06 07:28:06 UTC 
I agree that with mod commands, it's not necessary to have a warning. Whenever someone is modifying something, they should expect that something to be changed or replaced.

However, from my understanding of the RFE, the purpose of "ipa vault-archive" is to save data (not to change it). So as a user, I wouldn't expect anything to be rewritten -- that's why I agree with Marc that a request for confirmation would be nice.
Comment 7 Florence Blanc-Renaud 2018-05-22 15:05:22 UTC 
Fixed upstream
master:
https://pagure.io/freeipa/c/e06c7566fdc540734eb62eb2ff1d149a6378e97a
Comment 8 Florence Blanc-Renaud 2018-05-23 07:29:19 UTC 
Fixed upstream
ipa-4-6:
https://pagure.io/freeipa/c/9864ea2313978de7a6e6333b611390a7d2320338
Comment 11 Sudhir Menon 2018-08-07 09:52:42 UTC 
Fix is seen in the "ipa vault help" 
Verified on Red Hat Enterprise Linux Server release 7.6 Beta (Maipo)  using

ipa-server-4.6.4-3.el7.x86_64
sssd-1.16.2-11.el7.x86_64
389-ds-base-1.3.8.4-9.el7.x86_64
krb5-server-1.15.1-34.el7.x86_64
pki-server-10.5.9-4.el7.noarch
selinux-policy-3.13.1-211.el7.noarch


[root@master]# ipa-kra-install 
The ipa-kra-install command was successful

[root@master yubico]# ipa vault-add
Vault name: my-first-vault
New password: 
Enter New password again to verify: 
----------------------------
Added vault "my-first-vault"
----------------------------
  Vault name: my-first-vault
  Type: symmetric
  Salt: 8eIXcphEJ1mlXil/iI/jgw==
  Owner users: admin
  Vault user: admin
[root@master yubico]# ipa vault-archive my-first-vault --data AbcD3fg8
Password: 
-----------------------------------------
Archived data into vault "my-first-vault"
-----------------------------------------
[root@master yubico]# ipa vault-retrieve my-first-vault
Password: 
------------------------------------------
Retrieved data from vault "my-first-vault"
------------------------------------------
  Data: AbcD3fg8
[root@master yubico]# ipa vault-archive my-first-vault --data dmVyeSBzZWNyZXQ=
Password: 
-----------------------------------------
Archived data into vault "my-first-vault"
-----------------------------------------

[root@master ~]# ipa help vault
Vaults
Manage vaults.

Vault is a secure place to store a secret. One vault can only
store one secret. When archiving a secret in a vault, the
existing secret (if any) is overwritten.
Comment 13 errata-xmlrpc 2018-10-30 10:55:57 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2018:3187